A Chinese state-sponsored threat group, Gallium, has been observed using a new RAT named PingPull. It is used against financial and government entities in Europe, Africa, and Southeast Asia.

Use of PingPull

Researchers from Unit42 have observed the Gallium group using the PingPull RAT in their recent campaigns. Further, the RAT is described as particularly stealthy and used in espionage operations.
  • PingPull RAT deploys a reverse shell on the targeted machine to execute remote commands.
  • Three distinct variants of malware were observed using different C2 communication protocols, such as HTTPS, ICMP, and TCP.
  • The reason behind using different C2 protocols might be to avoid certain network detection tools.
  • It installs itself as a service and simulates a legitimate service to discourage users from terminating it.

Victim profile

The targeted entities are based in Australia, Russia, the Philippines, Belgium, Vietnam, Malaysia, Cambodia, and Afghanistan. The group focuses on the finance, telecommunications, and government sectors.

Brief about Gallium

Gallium, believed to originate from China, performs espionage attacks aligned with the interest of the nation.
  • Unit 42 uncovered and linked Gallium operations with 170 IP addresses, some of which are dated back to late-2020.
  • In 2019, the group’s target set was limited to only telecommunication service providers.


Gallium now uses PingPull RAT, which shows that the group is still active and evolving. Thus, organizations are recommended to use the IOCs provided in the Unit 42 report. Furthermore, organizations should subscribe to a threat intelligence service for a proactive response to such threats.
Cyware Publisher